Tutorial: Alarm Mode

Description

This tutorial details the use of the Alarm mode of the Anteater, which enables the user to produce plugin-controlled flow release. Any plugin can invoke an internal signal to release a specific flow; otherwise no flows are produced. This is an easy way to transform T2 into an elaborate NIDS. The following plugins currently implement the alarm mode:

dnsDecode (if a DNS name is detected in a black list)

regex_pcre (if a regex triggers)

Moreover, with the help of the pcapd plugin you can also extract all packets of a flow processed after the specific alarm.

Preparation

In order to do so, we need to prepare T2. If you have not completed the previous tutorials, just follow the procedure described below.

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins and compile only basicFlow, basicStats, tcpStates, dnsDecode and txtSink.

To enable the alarm mode, switch ALARM_MODE to 1. Several plugins can trigger an alarm concurrently, as we do not know what kind of plugin armada you might develop in the future, so the ALARM_AND switch denotes whether the flow release is triggered by a logical AND or OR: either all alarm-registered plugins must agree that the flow is worth releasing, or any one of them can release it. The default value is OR, so any plugin can release a flow. Edit tranalyzer.h or use t2conf. Recompile T2 including all existing plugins.

Plugin Alarm Register and Control

Let’s look at the dnsDecode plugin to illustrate the principle. It is capable of looking for malware domains/IPs from a blacklist. This can be combined with the alarm mode, so that only the malware flows are released.

The file maldomain.txt contains a list of malware domains; it is not the newest, so feel free to compile your own. There are lots of lists available online. autogen.sh or t2build will convert that list into a T2-formatted list maldm.txt and copy it under your ~/.tranalyzer/plugins directory. More about that later, when we edit the maldomain.txt list.

I added here the runlove.us entry with a categorization; I picked a ludicrous one. In any case, you can download your own domain list, rename it to maldomain.txt and recompile with t2build -f, or invoke the dmt script under the utils directory of dnsDecode and copy the result under ~/.tranalyzer/plugins. Note that if you invoke t2build -f, it will download a new list and overwrite your changes. So invoke the following commands:

A warning at the end reports the total number of alarms and alarm flows: two alarms in two flows in total, all coming from dnsDecode, because it is the only alarm-capable plugin loaded. The corresponding flows can be inspected in the flow file via a simple tawk statement. You see the detected runlove.us request and our type description in the two flows being written to the flow file, out of 68 flows in total.

Alarm controlled packet extraction

The pcapd plugin, discussed in the pcap extraction tutorial, is controlled either by the -e option, i.e. an external flow index file, or, if that option is omitted, by the internal flag FL_ALARM in the flow and global status. If one or more plugins set that bit, pcapd will extract all packets of that flow following the appearance of FL_ALARM. Unfortunately, we cannot store the packets seen before that alarm, so they do not appear in the flow file. The packet mode has no alarm mode, so all packets will appear.
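To make the two mechanisms above concrete (the ALARM_AND decision over several alarm plugins from the Preparation section, and pcapd saving only the packets seen from the alarm onwards), here is a small simulation added for this tutorial. It is not T2 code: the plugin bits ALARM_DNS and ALARM_REGEX, the status bit FL_ALARM_SIM (modelled on FL_ALARM, value a placeholder), the blacklist entries and the keyword used in place of a PCRE pattern are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical per-plugin alarm bits (names are assumptions, not T2's own). */
#define ALARM_DNS   0x1u   /* a dnsDecode-like blacklist hit */
#define ALARM_REGEX 0x2u   /* a regex_pcre-like pattern hit */
/* Flow status bit modelled on T2's FL_ALARM; the value is a placeholder. */
#define FL_ALARM_SIM 0x80000000u

typedef struct {
    uint32_t status;      /* flow status word, carries FL_ALARM_SIM once raised */
    uint32_t alarm_bits;  /* which alarm plugins fired on this flow */
    int pkts_seen;        /* packets that belonged to the flow */
    int pkts_extracted;   /* packets a pcapd-like writer would save */
} flow_t;

/* Constructed blacklist standing in for maldm.txt. */
static const char *const BLACKLIST[] = { "runlove.us", "bad.example" };

/* Suffix match on a label boundary: "cdn.runlove.us" hits, "notrunlove.us" does not. */
bool dns_blacklisted(const char *name) {
    size_t n = strlen(name);
    for (size_t i = 0; i < sizeof BLACKLIST / sizeof BLACKLIST[0]; i++) {
        size_t b = strlen(BLACKLIST[i]);
        if (n < b) continue;
        const char *tail = name + n - b;
        if (strcasecmp(tail, BLACKLIST[i]) != 0) continue;
        if (n == b || tail[-1] == '.') return true;
    }
    return false;
}

/* Stand-in for a regex plugin: a fixed keyword instead of a PCRE pattern. */
bool regex_hit(const char *payload) {
    return strstr(payload, "EVIL") != NULL;
}

/* ALARM_AND semantics: with AND every registered plugin must have fired,
 * with OR (the default) any single one is enough. */
bool flow_released(const flow_t *f, uint32_t registered, bool alarm_and) {
    uint32_t fired = f->alarm_bits & registered;
    return alarm_and ? fired == registered : fired != 0;
}

/* Packet-level processing: plugins raise their bit, the flow status gets the
 * alarm flag, and from that packet on a pcapd-like writer saves the packets.
 * Earlier packets of the flow are gone, as the tutorial notes. */
void process_packet(flow_t *f, const char *dns_name, const char *payload) {
    f->pkts_seen++;
    if (dns_name && dns_blacklisted(dns_name)) f->alarm_bits |= ALARM_DNS;
    if (payload && regex_hit(payload))        f->alarm_bits |= ALARM_REGEX;
    if (f->alarm_bits) f->status |= FL_ALARM_SIM;
    if (f->status & FL_ALARM_SIM) f->pkts_extracted++;
}

/* Constructed flow: benign packet, blacklisted DNS query, keyword hit, trailing packet. */
flow_t run_sample_flow(void) {
    flow_t f = {0, 0, 0, 0};
    process_packet(&f, "www.example.com", NULL);
    process_packet(&f, "cdn.runlove.us", NULL);
    process_packet(&f, NULL, "GET /EVIL HTTP/1.1");
    process_packet(&f, NULL, "ok");
    return f;
}

/* Constructed flow where only the DNS plugin fires. */
flow_t run_dns_only_flow(void) {
    flow_t f = {0, 0, 0, 0};
    process_packet(&f, "www.example.com", NULL);
    process_packet(&f, "runlove.us", NULL);
    process_packet(&f, NULL, "ok");
    return f;
}

int main(void) {
    const uint32_t registered = ALARM_DNS | ALARM_REGEX;
    flow_t a = run_sample_flow(), b = run_dns_only_flow();
    printf("flow a: %d seen, %d extracted, released(AND)=%d released(OR)=%d\n",
           a.pkts_seen, a.pkts_extracted,
           flow_released(&a, registered, true), flow_released(&a, registered, false));
    printf("flow b: %d seen, %d extracted, released(AND)=%d released(OR)=%d\n",
           b.pkts_seen, b.pkts_extracted,
           flow_released(&b, registered, true), flow_released(&b, registered, false));
    return 0;
}
```

In the first constructed flow the blacklist hit arrives with the second packet, so three of the four packets are saved and the first one is lost, which is exactly the caveat about packets before the alarm. The second flow shows why ALARM_AND matters: with only the DNS plugin firing it is released under OR, the default, but not under AND.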

In order to tell pcapd to extract packets from flows, dnsDecode has to produce a signal at packet level, so switch MAL_TEST to 2 in dnsDecode.h and add pcapd, or use the following commands:

AlarmYourOwn

If you intend to integrate the ALARM mode in your own plugin, refer to the implementing alarm mode tutorial. And don’t forget to reset T2 and dnsDecode for your next tutorial, so that your output always matches the one on the webpage.